Issue
I've set up nginx 1.14.2 on my remote server running Debian 10.6.
My test site index.html located in /var/www/my-site/ is thus far broadcast well by nginx, when it only has to provide the HTML source code!
However, external CSS or image files fail to be loaded, it seems. The files are located in /var/www/my-site/css and /var/www/my-site/images respectively.
Here's my nginx.conf from /etc/nginx, which I only lightly modified by adding a buffer policy, protection against clickjacking, and removing older SSL formats:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # Buffer Policy
    ##
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    ##
    # Avoid Clickjacking Attacks
    ##
    add_header X-Frame-Options "SAMEORIGIN";
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
And here's my custom my-site.net config from /etc/nginx/sites-available, which was initialized from the /etc/nginx/sites-available/default:
# Custom my-site.net configuration
#
server {
    root /var/www/my-site.net;
    index index.html index.htm index.nginx-debian.html;
    server_name my-site.net www.my-site.net;
    ##
    # Deny Automated User Agents
    ##
    if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
        return 403;
    }
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Get rid of unwanted HTTP methods
        limit_except GET HEAD POST { deny all; }
    }
    ##
    # Stop deep or hot linking
    ##
    location /images/ {
        valid_referers none blocked www.my-site.net my-site.net;
        if ($invalid_referer) {
            return 403;
        }
    }
    ##
    # Certbot Let's Encrypt! SSL
    ##
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my-site.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my-site.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.my-site.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = my-site.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = www.my-site.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = my-site.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name my-site.net my-site.net;
    return 404; # managed by Certbot
}
I've for instance tried to add the lines below to my server block. However, I always get a config error when I try to reload nginx.
location \images\ {
    root /var/www/my-site;
}
I don't get it! I do have to make subdirectories of the root directory available like this, don't I? Or am I getting something totally wrong?
Thanks.
Solution
Since nobody was able to reply to me, here's how I finally got it working.
My FIRST ISSUE was with permissions and file ownership:
/var/www was owned by the root user and group, as were all its subdirectories and files. nginx thus wasn't able to read any file - even if configured right -, except weirdly my index.html from /var/www/my-site (which I don't quite understand as of now).
To remedy this, I first changed the owner and group of /var/www/my-site and all its subdirectories and files to www-data, instead of root. www-data seems to be the default user, defined by nginx. It should be specified at the top of the nginx.conf from /etc/nginx as user www-data.
sudo chown -R www-data:www-data /var/www/my-site
After that I also set the SetGID permission flag s for the www-data group and the /var/www/my-site directory and its subdirectories (not the files though).
sudo chmod g+s /var/www/my-site /var/www/my-site/images /var/www/my-site/css
This means that all future files created in /var/www/my-site and its subdirectories will get the group ownership applied to them (not any new subdirectories though).
Now, I still needed to allow the new group to write to /var/www/my-site and its subdirectories with the appropriate permissions (i.e. rwxrwxr-x = 775):
sudo chmod -R 775 /var/www/my-site
Lastly, I added myself - the non-root user - to the www-data group, in order to be able to upload (or write) files with for instance SFTP.
sudo usermod -a -G www-data [my username]
-a means "append", and -G www-data "to the existing group www-data".
My SECOND ISSUE was in the my-site.net config from /etc/nginx/sites-available, which was initially copied from /etc/nginx/sites-available/default.
Turns out that in my case, I only needed to specify the relevant subdirectories of /var/www/my-site, which is the nginx root (cf. server {...} block), as locations.
I already had /var/www/my-site/images set up with this snippet that is meant to prevent hot or deep linking of images:
location /images/ {
    valid_referers none blocked www.my-site.net my-site.net;
    if ($invalid_referer) {
        return 403;
    }
}
All that remained was to specify another location for /var/www/my-site/css:
location /css/ {
}
Finally, I saved the config and reloaded nginx and everything worked!
Answered By - St4rb0y Answer Checked By - Robin (WPSolving Admin)
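
The permission problem described in the answer above can be checked mechanically. The following is an added example, not part of the original post: a POSIX shell audit that lists paths a worker relying on the "other" permission bits could not serve, and paths that someone other than the owner may modify. It assumes GNU find; the function names are hypothetical and the sample tree it builds when run without an argument is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU find, as on Debian.
# Function names are hypothetical; the sample tree below is constructed.

# Paths a worker that is neither owner nor group member cannot serve:
# directories missing o+r/o+x (octal 005) and files missing o+r (octal 004).
unreadable_by_worker() {
    find "$1" \( -type d ! -perm -005 -o -type f ! -perm -004 \) -print | LC_ALL=C sort
}

# Paths that someone other than the owner may modify:
# any of g+w or o+w set (octal 022).
writable_by_non_owner() {
    find "$1" \( -type d -o -type f \) -perm /022 -print | LC_ALL=C sort
}

# Constructed stand-in for /var/www/my-site with three deliberate findings.
build_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/css" "$sample/images"
    echo '<html></html>' > "$sample/index.html"
    echo 'body {}' > "$sample/css/site.css"
    echo 'placeholder' > "$sample/images/logo.png"
    chmod 755 "$sample" "$sample/css"
    chmod 750 "$sample/images"           # directory "other" cannot traverse
    chmod 644 "$sample/index.html"
    chmod 640 "$sample/css/site.css"     # file "other" cannot read
    chmod 664 "$sample/images/logo.png"  # group-writable file
    echo "$sample"
}

# Audit the directory given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then
    target=$1
else
    target=$(build_sample_tree)
fi
echo "Not servable via 'other' permission bits:"
unreadable_by_worker "$target"
echo "Writable by group or other:"
writable_by_non_owner "$target"
[ -n "${1:-}" ] || rm -rf "$target"
```

Passing a real web root as the first argument audits that directory instead of the sample.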